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Abstract. We present a hack that creates a binary file executable both 
on Windows and ELF-based systems. It can be used to create software 
installers and other applications not exceeding 64 kilo bytes. The technique 
can also be exploited by multi-host viruses. 



1. The Technique 

As Windows is backwards compatible with DOS, it can execute the struc- 
turally simple .corn-file format. When a .corn-file is loaded by Windows (or 
DOS), it merely loads the file to memory position 0x100 and executes it. 

The ELF-header (used in Linux, and many other Unix-like systems) starts 
with the byte code ("magic number") 0x7F45. This is jg 0x47 in X86 Opcode. 
Thus, if the file is executed in Windows - it will load the file to 0x100 and jump 
to 0x147. 

The ELF-header is exactly 52 bytes long. From /usr/include/elf .h in a 
Linux installation, we have 
typedef struct 
{ 

unsigned char e_ident [EI_NIDENT] ; /* Magic number and other info */ 
Elf32_Half e_type; /* Object file type */ 
Elf32_Half e_machine; /* Architecture */ 
Elf32_Word e_version; /* Object file version */ 
Elf32_Addr e_entry; /* Entry point virtual address */ 
Elf32_0ff e_phoff; /* Program header table file offset */ 
Elf32_0ff e_shoff; /* Section header table file offset */ 
Elf32_Word e_flags; /* Processor-specific flags */ 
Elf32_Half e_ehsize; /* ELF header size in bytes */ 
Elf32_Half e_phentsize; /* Program header table entry size */ 
Elf32_Half e_phnum; /* Program header table entry count */ 
Elf32_Half e_shentsize; /* Section header table entry size */ 
Elf32_Half e_shnum; /* Section header table entry count */ 
Elf32_Half e_shstrndx; /* Section header string table index */ 
} Elf32_Ehdr; 

For reference, Elf 32_Half is 16 bits, Elf 32_Word is 32 bits and Elf 32_0ff 
is also 32 bits on the 32 bits X86. If we choose the program header to start 
directly after this ELF-header, our file continuous as 
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typedef struct 
{ 

Elf32_Word p_type; /* Segment type */ 
Elf32_0ff p_offset; /* Segment file offset */ 
Elf32_Addr p_vaddr; /* Segment virtual address */ 
Elf32_Addr p_paddr; /* Segment physical address */ 
Elf32_Word p_filesz; /* Segment size in file */ 
Elf32_Word p_memsz; /* Segment size in memory */ 
Elf32_Word p_flags; /* Segment flags */ 
Elf32_Word p_align; /* Segment alignment */ 
} Elf32_Phdr; 

defined in /usr/include/elf . h. This brings us to a total header size of 0x54. 

This means the 0x47'th byte is 13 bytes before the header ends. These bytes 
specify the size of the file and can thus be chosen in such a way that the instruc- 
tions executed are harmless. Example of the situation is given by the following 
code. 

00000047 0000 add [bx+si] , al 

00000049 1000 adc [bx+si] , al 
0000004B 00909090 add [bx+si+0x9090] , dl 
0000004F 90 nop 

where the 0x90 instructions (bop) are padded to get us to an instructional 
boundary. If executed in DOS, we are now in control and can e.g. exit the 
program. 

00000050 B44C mov ah, 0x4c 
00000052 CD21 int 0x21 

2. Applications 

The . com-binary format has a 64 kilo bytes size limitation. This limits the 
applicability of our technique. However, for many applications, an Internet 
connection would suffice. 

If executed in Linux (or in principle any other ELF-based X86 system) - we 
have access to the system interrupt int 0x80. This gives us basic network and 
file access. We can even access any external libraries (such as the X- Windows 
system) through standard means. 

However, once executed in Windows, we only have access to DOS. However, 
once a DOS-program tries to execute a Windows program through int 0x21 - it 
will run in Windows. Thus we can either supply a separate file which somehow 
includes a windows executable, or - more elegantly - include code to generate a 
Windows executable and execute it. 

A proof of concept is found at folk.uio.no/steffen/kapok.tar.gz. 



